[PR #1968] fix DTVCC: Heap Buffer Overflow & Out-of-Bounds Read #2769

New Issue

Closed

opened 2026-01-29 17:23:48 +00:00 by claunia · 0 comments

claunia commented 2026-01-29 17:23:48 +00:00

Owner

Copy Link

Original Pull Request: https://github.com/CCExtractor/ccextractor/pull/1968

State: closed
Merged: Yes

---

In raising this pull request, I confirm the following (please check boxes):

• I have read and understood the contributors guide.
• I have checked that another pull request for this purpose does not exist.
• I have considered, and confirmed that this submission will be valuable to others.
• I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
• I give this submission freely, and claim no ownership to its content.
• I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

• I have never used CCExtractor.
• I have used CCExtractor just a couple of times.
• I absolutely love CCExtractor, but have not contributed previously.
• I am an active contributor to CCExtractor.

---

Description

fixed critical vulnerabilities in the DTVCC (CEA-708) decoder

Issues Fixed:

1. Heap Buffer Overflow in dtvcc_process_data

   • Trigger: Malformed CEA-708 streams with packet length > 128.
   • Fix: Added bounds check using CCX_DTVCC_MAX_PACKET_LENGTH.

2. Out-of-Bounds Read in dtvcc_process_current_packet

   • Trigger: Extended header (service_number 7) read beyond packet buffer.
   • Fix: Added length check to stop processing truncated extended headers.

Impact if unpatched:

• Heap memory corruption.
• Undefined behavior while processing malformed DTVCC streams.
• Potential crash during caption extraction.

Testing:

• Verified packets exceeding CCX_DTVCC_MAX_PACKET_LENGTH are safely ignored.
• Verified truncated extended headers do not cause memory over-read.
• Confirmed normal streams continue to decode correctly with no regression.

fixed #1966

**Original Pull Request:** https://github.com/CCExtractor/ccextractor/pull/1968 **State:** closed **Merged:** Yes --- <!-- Please prefix your pull request with one of the following: **[FEATURE]** **[FIX]** **[IMPROVEMENT]**. --> **In raising this pull request, I confirm the following (please check boxes):** - [x] I have read and understood the [contributors guide](https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md). - [x] I have checked that another pull request for this purpose does not exist. - [x] I have considered, and confirmed that this submission will be valuable to others. - [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [x] I give this submission freely, and claim no ownership to its content. - [x] **I have mentioned this change in the [changelog](https://github.com/CCExtractor/ccextractor/blob/master/docs/CHANGES.TXT).** **My familiarity with the project is as follows (check one):** - [ ] I have never used CCExtractor. - [ ] I have used CCExtractor just a couple of times. - [ ] I absolutely love CCExtractor, but have not contributed previously. - [x] I am an active contributor to CCExtractor. --- ### Description fixed critical vulnerabilities in the DTVCC (CEA-708) decoder **Issues Fixed:** 1. **Heap Buffer Overflow in `dtvcc_process_data`** - Trigger: Malformed CEA-708 streams with packet length > 128. - Fix: Added bounds check using `CCX_DTVCC_MAX_PACKET_LENGTH`. 2. **Out-of-Bounds Read in `dtvcc_process_current_packet`** - Trigger: Extended header (service_number 7) read beyond packet buffer. - Fix: Added length check to stop processing truncated extended headers. **Impact if unpatched:** - Heap memory corruption. - Undefined behavior while processing malformed DTVCC streams. - Potential crash during caption extraction. **Testing:** - Verified packets exceeding `CCX_DTVCC_MAX_PACKET_LENGTH` are safely ignored. - Verified truncated extended headers do not cause memory over-read. - Confirmed normal streams continue to decode correctly with no regression. fixed #1966

claunia added the pull-request label 2026-01-29 17:23:48 +00:00

claunia closed this issue 2026-01-29 17:23:48 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

ci/dual-build-artifacts-windows

chore/update-pr-template

fix/teletext-json-report-cleanup

fix/wix-conditional-xml

fix/publish-workflow-timing

fix/input-scc-option

fix/palette-crate-fedora

pr-1782

fix/flutter-gui-v0.7.0-files

docs/changelog-upcoming

fix/goptime-and-startcredits-bugs

fix/bindgen-upgrade-1608

fix/tesseract-version-check-future-proof

fix/ccx-encoders-spupng-memory-safety

fix/freebsd-remarks

compatibility/xp

v0.96.6

v0.96.5

v0.96.4

v0.96.3

v0.96.2

v0.96.1

v0.96

v0.94

v0.93

v0.92

v0.91

v0.90

v0.89

v0.88

v0.87

v0.86

v0.85b

v0.85

v0.84

v0.83

v0.82

v0.81

v0.80

v0.79

v0.78

v0.77

v0.76

v0.75

v0.74

v0.73

v0.72

v0.71

v0.70

Labels

Clear labels

bug

CEA-708

difficulty: easy

difficulty: hard

difficulty: medium

DTMB

DVB

enhancement

enhancement

Flutter GUI

GCI19

good-first-task

GSoC 2021

GSOC-2023

GSOC-2023

GSOC-2023

GSoC-related

Hacktoberfest

HardsubX

help wanted

invalid

JokerTV

Mac / OSX

more-info-needed

needs-commercial-sponsor

needs-commercial-sponsor

needs-commercial-sponsor

needs-confirmation-of-being-broken

OCR

pull-request

Mirrored from GitHub Pull Request

Python

regression

Rust

teletext

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

claunia

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/ccextractor#2769